Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude fields from LinearRegression command/use subsearch to generate fields for LinearRergession ?

achervov
Engager
‎07-25-2018 03:03 AM

Consider fit LinearRegression
| fit LinearRegression "name2predict" from "f1" "f2" into "test_model"

Question 0
What are flexebilities defining the FEATURE LIST -- i.e. from "f1" "f2" ?

SubQuestion 1
Is it possible to write something like
NOT "f1" - exclude "f1"
or something like f1* OR f2*
etc ?

SubQuestion 2 Can we use somehow subsearch to generate fields list ?

If no simple way to do it what are some ways round ?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎07-25-2018 08:41 AM

If you wanted to exclude f1 then you should not include it as your explanatory field.. Why would you want to choose f1 OR f2? Why not just include both and let the machine determine which feature to put emphasis on? You can run | summary <model_name> to identify how much impact each feature has on the target function.

Why do you mean using a sub-search to generate a fields list? Are you referring to making the data available so you can fit your model? If so, then you can use whatever you want just as long as the data is available before the fit command. One thing to consider though is speed and scale. You need to make sure your search is fast so it can run on a consistent basis so the machine can keep learning and adapting

0 Karma
Reply

achervov
Engager
‎07-25-2018 11:43 PM

To make explicit description of fields names is very inconvenient in my case, because that names can be changed. I want to exclude very specific name like "_time" , but I do not want to exclude by previous "field - _time" command, because then it will dispappear from the whole pipiline, so it would be impossible to plot by next command "table _time, error". By using subsearch I mean something like [ | mcatalog | return ??? ] put such expression instead of explicit fields list.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...